From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: Bo Chen <chenbo@pdx.edu>,
Jeff Kirsher <jeffrey.t.kirsher@intel.com>,
Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL 4.9 06/14] e1000: check on netif_running() before calling e1000_up()
Date: Thu, 20 Sep 2018 02:48:46 +0000 [thread overview]
Message-ID: <20180920024838.58666-6-alexander.levin@microsoft.com> (raw)
In-Reply-To: <20180920024838.58666-1-alexander.levin@microsoft.com>
From: Bo Chen <chenbo@pdx.edu>
[ Upstream commit cf1acec008f8d7761aa3fd7c4bca7e17b2d2512d ]
When the device is not up, the call to 'e1000_up()' from the error handling path
of 'e1000_set_ringparam()' causes a kernel oops with a null-pointer
dereference. The null-pointer dereference is triggered in function
'e1000_alloc_rx_buffers()' at line 'buffer_info = &rx_ring->buffer_info[i]'.
This bug was reported by COD, a tool for testing kernel module binaries I am
building. This bug was also detected by KFI from Dr. Kai Cong.
This patch fixes the bug by checking on 'netif_running()' before calling
'e1000_up()' in 'e1000_set_ringparam()'.
Signed-off-by: Bo Chen <chenbo@pdx.edu>
Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
index 975eeb885ca2..bdb85282137b 100644
--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
@@ -665,7 +665,8 @@ static int e1000_set_ringparam(struct net_device *netdev,
err_alloc_rx:
kfree(txdr);
err_alloc_tx:
- e1000_up(adapter);
+ if (netif_running(adapter->netdev))
+ e1000_up(adapter);
err_setup:
clear_bit(__E1000_RESETTING, &adapter->flags);
return err;
--
2.17.1
next prev parent reply other threads:[~2018-09-20 2:53 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-20 2:48 [PATCH AUTOSEL 4.9 01/14] qed: Wait for ready indication before rereading the shmem Sasha Levin
2018-09-20 2:48 ` [PATCH AUTOSEL 4.9 02/14] qed: Wait for MCP halt and resume commands to take place Sasha Levin
2018-09-20 2:48 ` [PATCH AUTOSEL 4.9 04/14] net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES Sasha Levin
2018-09-20 2:48 ` [PATCH AUTOSEL 4.9 03/14] thermal: of-thermal: disable passive polling when thermal zone is disabled Sasha Levin
2018-09-20 2:48 ` [PATCH AUTOSEL 4.9 05/14] net: hns: fix skb->truesize underestimation Sasha Levin
2018-09-20 2:48 ` Sasha Levin [this message]
2018-09-20 2:48 ` [PATCH AUTOSEL 4.9 07/14] e1000: ensure to free old tx/rx rings in set_ringparam() Sasha Levin
2018-09-20 2:48 ` [PATCH AUTOSEL 4.9 08/14] hwmon: (ina2xx) fix sysfs shunt resistor read access Sasha Levin
2018-09-20 2:48 ` [PATCH AUTOSEL 4.9 09/14] hwmon: (adt7475) Make adt7475_read_word() return errors Sasha Levin
2018-09-20 2:48 ` [PATCH AUTOSEL 4.9 10/14] drm/amdgpu: Enable/disable gfx PG feature in rlc safe mode Sasha Levin
2018-09-20 2:48 ` [PATCH AUTOSEL 4.9 12/14] arm/arm64: smccc-1.1: Make return values unsigned long Sasha Levin
2018-09-20 2:48 ` [PATCH AUTOSEL 4.9 11/14] drm/amdgpu: Update power state at the end of smu hw_init Sasha Levin
2018-09-20 2:48 ` [PATCH AUTOSEL 4.9 13/14] arm/arm64: smccc-1.1: Handle function result as parameters Sasha Levin
2018-09-20 2:48 ` [PATCH AUTOSEL 4.9 14/14] i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180920024838.58666-6-alexander.levin@microsoft.com \
--to=alexander.levin@microsoft.com \
--cc=chenbo@pdx.edu \
--cc=jeffrey.t.kirsher@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).